Skip to content ↓ | Skip to navigation ↓

If you’re in your 40s or 50s, you probably remember a TV series called The Twilight Zone. (Millennials, think Netflix’s Black Mirror). Every show was its own stand-alone story that took viewers into an alternate reality where things got weird in a hurry followed by twists and turns culminating in a surprise ending.

These types of winding plots aren’t unheard of in the real world. I headhunt in executive-level security positions. Through these experiences, I’ve grown accustomed to one thing – when it comes to finding and negotiating CISO/CSO positions, the process is unique, and there are a lot of surprise endings. Here are a few tips for navigating the unknown.

1. Flexibility can win a great hire

I’m a firm believer that with any search, the devil is in the details. That starts with a VERY well-written job description which includes the title, reporting structure, thorough job description, a solid sales pitch on the company, and experience level.

A security leader job description is difficult because, besides the CEO, it’s the only job that has tentacles into every aspect of the business. Your CISO will probably run point on security operations. Prevention, detection and response, risk management, governance, education, legal and regulatory, business enablement, identity and access management (IAM), and leadership chops are a must. But it gets a little murky after that, and flexibility can be greatly rewarded.

Why? The person you will hire has no formal educational training for this role – because it doesn’t exist.

What he or she learned came through hard-earned experience, trial and error and good mentoring. Industry experience can also be tricky. Several industries have security skills that are transferable because the regulatory frameworks are fairly similar.

2. Be open to candidates with massive salary differences and not-so-defined titles

It’s not uncommon for me to submit two candidates for the same role with as much as an $80K salary difference! Plus, current titles for candidates can run the gamut. Security is still a young industry, and companies value security very differently. I know security executives in smaller markets that can run circles around their big town, high-paid peers.

Make no mistake, in security, there are diamonds in those unsearched hills and valleys as long as you keep an open mind.

3. Significant dialogue and negotiation are the norm

The standard client response to my point above is, “Awesome! I want to lower my salary projection from $210K to $165K. Go find me one of those!” I hate to be the bearer of bad news, but security people are tribal, and boy do they talk. That highly experienced security person that took a leadership role seven years ago in Columbus on a cut-rate salary because nobody really knew what a security leader was supposed to do?

That person who scratched and clawed for budget, grew in trust with the Board, and built a security program to be proud of on elbow grease and smarts? He/she knows full well how underpaid they are. Plus, security professionals are notoriously careful (it’s kind of the gig).

These candidates know their worth, and they are ready to cash in. Also, be prepared for the interview process with security leader candidates to be a highly back-and-forth dialogue. Given the liability at stake for both company and candidate, expect a constructive process where both parties feel comfortable with the role and the compensation package. It can take some time, but it’s worth it.

The process of finding your security leader can be a little unruly. Set your expectations on a search that’s a bit of an adventure. It will pay off.

chance hoagAbout the Author: Chance Hoag owns Talon Placement, a nationwide recruiting firm headquartered in Nashville, TN which is focused exclusively on cybersecurity, risk, privacy, and compliance. You can follow him on LinkedIn and Twitter.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.